Network access control brings together four components: authentication, enforcement, endpoint security and management. While every network manager may select a different mix of these four, the "killer app" part of NAC is definitely endpoint security assessment. We've had enforcement and authentication for a while, and people haven't been very excited about them. But add in endpoint security, and suddenly the pain of implementing NAC is nowhere as bad as the pain of having some Trojan horse botnet use your network to promote fake Rolexes and generic sex pills.
Endpoint security and network access control require taking a lifecycle view of network and client security. It's not enough to say, "We check your PC and if it's OK, you get on the network." Instead, any endpoint security strategy has to be focused on keeping people on the network, not keeping them off. That means building a lifecycle approach, starting with assessment and monitoring, then remediation (if necessary), followed by enforcement integration, all wrapped up within a global policy definition and management structure.
Endpoint security usually begins with posture assessment, and this is the easiest to understand and build into your lifecycle. There are many product choices here, such as installed clients, downloadable bits of software, assessment strategies based on external scanners and vulnerability analyzers. No matter the choice, the goal is to figure out whether someone who wants to connect to the network should be allowed to do so.
Some NAC security vendors mistake policy compliance (e.g., does this system have a virus scanner installed?) for safe computing (e.g., is this system infected with a virus?). Don't let their naïve views of things confuse you. Instead, focus on the lifecycle and realize that even if a machine is found to be acting badly, there are additional tools to help. This is where monitoring, the second part of the endpoint security lifecycle, comes in.
One obvious kind of monitoring can be done on the client itself, assuming an application is running there that can watch the status of the system. Some vendors call that "continuous enforcement;" others use the unwieldy "post-admission NAC" term. No matter how it's labeled, this part of the lifecycle acknowledges that just because someone smelled nice when they connected doesn't mean that they'll always be so sweet.
One problem with software running on or near the network client is that it can lie, or be lied to. A dispassionate third party helps here. Solid NAC strategies have definite feedback loops based on the ability to monitor what is actually happening on the network. You might start with existing IDS sensors and their alerts, or flow data from routers or firewalls. You'll also find folks with vulnerability analyzers or endpoint discovery tools ready to hook into a good network access control framework to provide further information on the health of a system after it's been connected.
Any time an endpoint security strategy can result in the prohibition of network access, remediation becomes a mandatory part of the lifecycle. This is one part of NAC where it pays to splurge. You might get away with simply dumping clients onto a VLAN where patches and antivirus updates can be downloaded and applied -- at least until someone important is kept from doing their job. But for best success, carefully investigate one of the many commercial tools that can help catch the user's attention, alert them to what is going on and walk them through whatever it takes to get them onto the network. This is one area of NAC, unfortunately, where an open source approach doesn't offer the tools that are required.
Remediation strategies should not be based on auto-remediation, whenever possible. Auto-remediation means that the client should automatically update itself and change configurations to bring itself into compliance, as determined by the NAC security policy. Auto-remediation is generally possibly only when systems are centrally managed by enterprise IT.
Enforcement integration is always part of an endpoint security strategy. It might be interesting to know that Stacie's laptop has the wrong version of the antivirus scanner, but it's a lot more useful to push that information back into the network access control infrastructure so that it can enforce policy. While early endpoint security tools focused more on reporting, the integration between network access control devices and endpoint security detection is a hallmark of modern products. Another key part of the lifecycle is feeding the status of endpoint security into the NAC enforcement mechanism. As the user's system moves from suspect, to scanned, to remediation, to compliant, NAC enforcement needs to keep up.
Finally, all these pieces need to be wrapped up nicely into a single policy management system. NAC may be bringing together many different components from all over the network, but if there's no consistent and overarching policy management system, the result will be chaos. This is harder than it seems, not just because of the technical challenges, but also due to organizational barriers. With a proper NAC and endpoint security strategy in place, people ranging from desktop system managers to infrastructure designers to firewall managers are all going to have to sit down and agree to share information and, in some cases, cede a certain amount of control to another group.
Once you've created an endpoint security lifecycle, and integrated it into your NAC architecture, you're one step closer to a successful NAC deployment.
About the author:
Joel Snyder is a senior partner with Opus One, a consulting firm in Tucson, Arizona. He spends most of his time helping people build larger, faster, safer and more reliable networks. He is a frequent contributor to Information Security magazine and has advised and trained thousands of people privately and at conferences around the world on networking, security, messaging and VPNs.
SECURITY SCHOOL MENU
School home: Integration of Networking and Security School
Lesson home: Locking down the endpoint - How NAC can boost host security
Webcast: NAC and endpoint security demystified
Podcast: Top 5 questions to ask when shopping for endpoint security
Quiz: Locking down the endpoint
This was first published in March 2007